It appears to be some sort of portscanner or probe thingy. I haven't seen any
programs called "uh". He probably compiled some exploit and gave it a random
name. That particular IP is part of index.com.jo's domain. What country is .jo?

Take a look in /tmp with an "ls -al" and see if you see anything strange in
there. Check your logs, look at /etc/inetd.conf and see if there is a /bin/sh
or a /bin/bash in it, look at /etc/passwd and see if there are any new
accounts, look for new home directories.

If you can, just tar up /etc, /var/log and /tmp, save it somewhere, and
reformat the box. Who knows what kind of backdoors are left behind.

> -----Original Message-----
> From: Joseph Johnson [mailto:josephj at mninter.net]
> Sent: Wednesday, December 13, 2000 10:11 PM
> To: tclug-list at lists.real-time.com
> Subject: [TCLUG] Could Someone tell me what might be happening here.
>
> I found this in my history file on a machine that I play around with when I
> decide to try and learn Linux.
>
> (sleep 300 ; killall -9 uh)
> w
> ./uh 0 212.38.131.178 1 65535 /dev/null &
>
> I am pretty much a perpetual newbie. (I do not do this for a living.) I
> know this system's been compromised. Short of reformatting the hard drive I
> am not too sure what to do. Any help would be appreciated.
>
> Joseph
> josephj at mninter.net
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
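A small sh script that runs the checks the reply suggests (shell entries in inetd.conf, extra UID-0 accounts, odd files in /tmp, new home directories, and an evidence tarball), added here as an example and not taken from the thread. It assumes only POSIX sh, awk, find and tar; the inetd.conf, passwd file and directories it builds in make_sample are constructed for the demo, not copied from the poster's box.

```sh
#!/bin/sh
# Triage helpers for the checks in the reply above. Each function takes the
# path to inspect as an argument, so it works on the live system or on a copy
# of /etc, /tmp and /home taken from the compromised box.

# inetd.conf lines (comments skipped) whose server program is a shell, the
# classic way a bound shell backdoor is left listening on a port.
inetd_shell_services() {
    awk '!/^[ \t]*#/ && /\/bin\/(ba)?sh/' "$1"
}

# Accounts in a passwd file with UID 0 that are not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Hidden entries or executable regular files directly under a temp directory.
suspicious_tmp_entries() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -name '.*' -o \( -type f -perm -u+x \) \) -print | sort
}

# Home directories under $1 modified after the reference file $2.
homes_newer_than() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -newer "$2" -print | sort
}

# Tar up what is worth keeping before the box is reformatted.
# Usage: collect_evidence /root/evidence.tgz /etc /var/log /tmp
collect_evidence() {
    dest=$1; shift
    tar -czf "$dest" "$@"
}

# Constructed sample data (not from the thread) to exercise the helpers offline:
# a bound-shell inetd line, an extra UID-0 account, an executable "uh" plus a
# hidden directory in tmp, and one home directory newer than the ref file.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        'ingreslock stream tcp nowait root /bin/sh sh -i' > "$d/inetd.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'josephj:x:1000:1000::/home/josephj:/bin/bash' \
        'toor:x:0:0::/:/bin/sh' > "$d/passwd"
    mkdir -p "$d/tmp/.hidden" "$d/home/josephj" "$d/home/newuser"
    : > "$d/tmp/notes.txt"; : > "$d/tmp/uh"; chmod u+x "$d/tmp/uh"
    touch -t 200012132211 "$d/ref" "$d/home/josephj"
    echo "$d"
}
```

On a real system, point the functions at /etc/inetd.conf, /etc/passwd, /tmp and /home, and compare the results against a known-good copy rather than trusting anything on the compromised disk.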